tracetop shows a live update of the busiest flows over time, performing a similar function to the 'top' tool in Unix.


     [ -f exp, --filter=exp ]
     [ -s len, --snaplen=len ]
     [ -p mode, --promisc=mode ]
     [ --bits-per-sec ]
     [ --percent ]
     [ -i secs, --interval=secs ]
     inputURI [inputURI ...]


-f, --filter
Apply a BPF filter to the input trace(s).
-s, --snaplen
Snap captured packets to the given length.
-p, --promisc
If 1, enable promiscuous mode on the input (if supported). If 0, disable promiscuous mode.
Display flow bandwidth as bits per second.
Display flow bytes and packets as a percentage of total traffic.
-i, --interval
Wait this many seconds between updates. Defaults to 2 seconds.


Monitoring a live network to pick out large flows

tracetop -p 1 --percent --bits-per-sec int:eth0


  • If tracetop is run against a trace file, it will operate in trace time (i.e. preserving all timing gaps that were between the packets when they were originally captured).
  • tracetop is a nice way to get a quick look at how your network is performing and what might be using up all your bandwidth.